op-challenger, the Cannon VM with
a kona-client prestate, an op-node with SafeDB, an op-reth archive node,
and your chain’s dispute game contracts on L1.
Is this guide for you?
Use this guide if:- Your chain runs the fault proof system: a
DisputeGameFactoryis deployed and proposals are settled by dispute games. - You are responsible for the chain’s defense (chain operator) or you are an independent participant willing to put funds at stake to help secure it.
Before you start
You should already have:- Your chain’s contract addresses, in particular the
DisputeGameFactoryproxy address (automatic in Step 3 if your chain is in the superchain-registry). - An L1 account you can fund with enough ETH to post bonds (sized in Step 2), and infrastructure to run several services with persistent storage.
- Your chain’s
rollup.jsonand L2 genesis file if the chain is not in the superchain-registry.
Step 1: Understand the role you are staffing
The challenger is the honest actor in the dispute system: an autonomous agent that monitors every game, defends valid proposals, challenges invalid ones, and resolves games so bonds pay out. Read the op-challenger explainer and take away:- The five responsibilities (monitor, defend, challenge, resolve, claim
bonds), and that the challenger acts on whatever its trusted
op-nodereports, so the integrity of your rollup node is the integrity of your challenger. - That the respected game type is
cannon-kona(run with kona-host), and that the legacycannon/ op-program game type has reached end of support: op-program does not support the now-active Karst hardfork, so the kona variants are the only maintained option.
DelayedWETH
with a delay so incorrect payouts can be recovered. Your challenger is the
first line of defense, not the only one.
Step 2: Budget your bonds and fees
Every claim your challenger posts carries a bond, sent as transaction value, and correct claims are refunded while incorrect ones pay the counter-claimer. Read the bond FAQs in the explainer and take away:- The sizing logic: honest actors combined must be able to outspend an attacker, so there is no fixed safe number. Playing a single game chain to maximum depth costs about 315.6 ETH per side, and a well-funded operator keeps significant funds available at short notice rather than pre-funding everything.
- The cash-flow shape: bonds from won games pay out only after a 7-day delay, so budget for capital being locked while games resolve.
- The backstop: attackers who try to outspend honest actors lose their bonds to Guardian intervention, which is the disincentive that keeps the realistic spend far below the worst case.
Step 3: Pin your versions and prestate
The challenger refuses to interact with games whose absolute prestate it does not have, and playing with the wrong prestate loses games, so version selection is a correctness decision, not housekeeping. Check the op-challenger release history for the latest release, then read the version guidance in the configuration guide and take away which op-challenger, op-reth, and kona-client versions are compatible with your chain’s deployment. Then choose your configuration path:
For generating and verifying a prestate, follow the
absolute prestate tutorial;
for custom chains, the
kona-client custom prestate tutorial
covers embedding your chain’s configuration.
Step 4: Provision the four endpoints
The challenger consumes four services, and each has a requirement beyond “reachable RPC”. Read the key configuration flags in the configuration guide and take away, per endpoint:- L1 RPC (
--l1-eth-rpc): a trusted node that can absorb heavy request volume. The challenger signs transactions worth real fees based on what this node tells it, so “trusted” is load-bearing. - L1 beacon (
--l1-beacon): serves the blobs batches were posted in. Decide the blob-archiver question now: if your chain proposes valid outputs regularly, the roughly 18-day blob retention window is enough; if proposals can stall longer than that, a blob archiver is required or the challenger can be pushed into an unwinnable position. - L2 archive node (
--l2-eth-rpc): an op-reth archive node with the debug API and the historical-proofs store enabled and seeded before first start, sized to cover the dispute window (28 days or more). - Rollup node (
--rollup-rpc): an op-node with SafeDB enabled (--safedb.path). Take away the warning about never restoring the SafeDB from a snapshot: a SafeDB that disagrees with L1 makes the challenger attack valid outputs, and the challenger cannot detect the condition.
Step 5: Configure and start the challenger
With versions, prestate, and endpoints in hand, the configuration guide is the canonical stop. Choose your deployment form:
Follow the matching tab of the
challenger configuration guide
end to end. It covers the environment file, the startup script or compose
file, and the flag-by-flag explanations. Keep the guide’s
--trace-type
value, which includes the cannon-kona game type from Step 1, and use the
transaction signer posture you use for your other services (private key,
mnemonic, or op-signer).
Step 6: Attach monitoring
A challenger that silently stops is worse than none, because you believe you are defended. Read the dispute-mon section of chain monitoring and take away thatop-dispute-mon tracks the status of every game over the
last 28 days and is considered essential for production challenger
deployments. Alert on two conditions at minimum: games the monitor flags as
resolving against your chain, and the challenger’s account balance falling
below your Step 2 top-up threshold.
Step 7: Verify the challenger is defending
Give the challenger a few minutes against live games, then confirm each layer:- Startup health: logs show successful connection to all four endpoints and the prestate loading without warnings; the challenger refuses to play games whose prestate it lacks, and says so in the logs.
- Game visibility:
op-challenger list-games(against your L1 RPC and game factory) returns the chain’s games;list-claimsshows the claims of any in-progress game. These read-only subcommands use the same configuration as the running service, so they double as configuration checks. - Participation: for a game created after your challenger started, the
challenger either leaves a valid proposal alone or posts counter-claims
to an invalid one. On a testnet you can exercise this deliberately with
the
create-gamesubcommand and an intentionally wrong root claim. - The economic loop: after games your challenger won resolve and the
7-day delay passes,
list-creditsshows bonds owed to your challenger’s address being claimed.
Next steps
- op-challenger readme:
subcommand reference (create-game, move, resolve, run-trace) and devnet
walkthroughs beyond configuration. In-repo document on
develop, as of 2026-07-18. - There is no rendered flag catalogue for op-challenger; use
op-challenger --helpon the release you run for the authoritative flag list. - Honest challenger specification: the normative algorithm your challenger implements, for when you need to reason about what a correct response is.
- Bond incentives specification: the required-bond formula behind Step 2’s budget.
- op-dispute-mon:
the monitoring service from Step 6. In-repo document on
develop, as of 2026-07-18.